HUAWEI USG6000, USG6000E, USG9500, NGFW Module Quick Configuration Guide (with Old Web UI)

Publication date: 2023-04-10
Views: 35893
Downloads: 37168
Document No.: EDOC1000134022
Quick Configuration Guide
HUAWEI USG6000, USG6000E, USG9500, NGFW Module

Issue: 05 (2021-05-07)
Contents

Logging In to the Web Configuration Page
Example 1: Accessing the Internet Using a Static IP Address
Example 2: Accessing the Internet Using PPPoE
Example 3: Accessing the Internet Through Multiple ISP Networks
Example 4: NAPT for Intranet Users to Access the Internet
Example 5: NAT Server for Internet Users to Access Intranet Servers
Example 6: Both Intranet and Internet Users Accessing an Intranet Server
Example 7: Site-to-Site IPSec Tunnel
Example 8: Site-to-Multisite IPSec Tunnel (Policy Template)
Example 9.1: L2TP over IPSec Access from Clients (SecoClient)
Example 9.2: L2TP over IPSec Access from Clients (Windows XP)
Example 9.3: L2TP over IPSec Access from Clients (Windows 7)
Example 9.4: L2TP over IPSec Access from Clients (Windows 10)
Example 9.5: L2TP over IPSec Access from Clients (Mac OS X)
Example 9.6: L2TP over IPSec Access from Clients (Android)
Example 9.7: L2TP over IPSec Access from Clients (iOS)
Example 10: SSL VPN Tunnel Access (Network Extension)
Example 11: Firewall Transparent Access for Load Balancing
Example 12: Active Standby Firewalls Attached to Layer-3 Devices
Example 13: Load Balancing Firewalls Attached to Layer-3 Devices
Example 14: Active Standby Backup in In-path Deployment
Example 15: Load Balancing in In-path Deployment
Example 16: Configuring Source Address-based PBR
Example 17: User-specific Bandwidth Management
Example 18: Application Control (Limiting P2P Traffic and Disabling QQ)

Note:
This document is based on V500R001C50 and can be used as a reference for V500R001C50 and later versions.
Document content may vary according to version.
Logging In to the Web Configuration Page

Networking Diagram

Administrator PC (192.168.0.x) ---- GE0/0/0 (management interface, 192.168.0.1/24) [Firewall]

Default Settings

Management interface: GE0/0/0
IP address: 192.168.0.1/24
User name/password: see HUAWEI Security Products Default Usernames and Passwords. If you do not have access permission for that document, see Help on the website to find out how to obtain it.

Supported Browser Versions

8.0 or later, 10.0 or later, and 17.0 or later. The browser names appear only as logos in the original figure and are not recoverable here; the login procedure below uses Internet Explorer as its example.
Login Procedure (Internet Explorer for Example)

1. Set the IP address of the administrator PC to an address in the range 192.168.0.2 to 192.168.0.254.
2. Open the browser on the administrator PC. In the address box, enter the default address of the management interface: https://192.168.0.1:8443.
3. The browser displays an insecure certificate warning, because the device presents a self-signed certificate. Select Continue to this website (not recommended).
4. Enter the user name and password.
5. Log in to the Web configuration page.

On the login page, you can click Download CA certificate to download the certificate issued by the device and import it into the browser on the administrator PC. The insecure certificate warning is then no longer displayed at the next login.

The CA certificate is downloaded over the same connection whose certificate the browser could not verify, so this is trust on first use: do it only over the directly connected management link shown in the networking diagram, not across a network that someone else can sit on, and record the certificate fingerprint so that a later warning (a changed certificate) is investigated rather than clicked through.

Web UI functional areas (screenshot): buttons, tabs, navigation tree, operation area, and CLI console.
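The certificate warning in step 3 is the point at which anyone on the path could substitute their own certificate, and the CA certificate offered on the login page is fetched over that same unverified connection. The script below is an added example, not part of the Huawei guide: it computes the SHA-256 fingerprint of the certificate the management interface presents, so that the fingerprint can be pinned on first use over the directly connected link and compared at later logins before the warning is clicked through. It assumes the default address and port from the procedure (192.168.0.1:8443); the PEM embedded in it is a constructed placeholder for offline use, not a real device certificate, and fingerprint_from_server is the only function that touches the network.

```python
"""Pin the management certificate of the firewall before trusting it.

Added example, not from the Huawei guide. Assumes the default management
address https://192.168.0.1:8443. DEMO_PEM is a constructed placeholder.
"""
import base64
import hashlib
import hmac
import ssl

MGMT_HOST = "192.168.0.1"
MGMT_PORT = 8443

# Constructed placeholder: the body is base64 of the bytes b"abc", not a real
# X.509 DER. A PEM obtained via "Download CA certificate" has the same framing.
DEMO_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    + base64.encodebytes(b"abc").decode()
    + "-----END CERTIFICATE-----\n"
)


def der_from_pem(pem: str) -> bytes:
    """Extract the DER bytes from a single PEM CERTIFICATE block."""
    lines = [line.strip() for line in pem.strip().splitlines()]
    if (len(lines) < 2 or lines[0] != "-----BEGIN CERTIFICATE-----"
            or lines[-1] != "-----END CERTIFICATE-----"):
        raise ValueError("not a PEM CERTIFICATE block")
    return base64.b64decode("".join(lines[1:-1]), validate=True)


def fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint in the colon-separated form browsers display."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def fingerprint_from_pem(pem: str) -> str:
    return fingerprint(der_from_pem(pem))


def fingerprint_from_server(host: str = MGMT_HOST, port: int = MGMT_PORT) -> str:
    """Fetch the certificate the device presents and fingerprint it.

    No validation is attempted here on purpose: this call is how the decision
    whether to trust the certificate gets its input. Network call."""
    return fingerprint_from_pem(ssl.get_server_certificate((host, port)))


def same_fingerprint(expected: str, actual: str) -> bool:
    """Constant-time comparison, ignoring case and separators."""
    def norm(s: str) -> str:
        return s.replace(":", "").replace(" ", "").lower()
    return hmac.compare_digest(norm(expected), norm(actual))


if __name__ == "__main__":
    # First login over the directly connected management link: record the value.
    # Later logins: compare against the recorded value before accepting the warning.
    print("device presents:", fingerprint_from_server())
```

Record the printed value once, from the directly connected link; at every later login (especially from another network) run the script again and accept the browser warning only if same_fingerprint reports a match with the recorded value.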
Example 1: Accessing the Internet Using a Static IP Address

Networking Diagram

PCs (10.3.0.0/24, Trust) ---- GE0/0/2 10.3.0.1/24 [Firewall] GE0/0/1 1.1.1.1/24 (Untrust) ---- Router 1.1.1.254 ---- Internet

All PCs on the LAN are deployed on subnet 10.3.0.0/24. They dynamically obtain IP addresses through DHCP.
The static IP address that the enterprise obtains from the carrier is 1.1.1.1, with a 24-bit subnet mask. The enterprise accesses the Internet through the firewall.

Item                Data            Description
DNS server          1.2.2.2/24      Obtained from the carrier
Gateway IP address  1.1.1.254/24    Obtained from the carrier

Step 1: Configure interfaces. Set the WAN interface parameters (GE0/0/1, 1.1.1.1/24, zone Untrust) and the LAN interface parameters (GE0/0/2, 10.3.0.1/24, zone Trust).

Step 2: Configure the DHCP service. Configure the DHCP service on LAN interface GE0/0/2 to assign IP addresses to PCs on the LAN.

Step 3: Configure a security policy. Permit the intranet addresses (10.3.0.0/24, zone Trust) to access the Internet (zone Untrust). Keep the default security policy action at deny so that only this traffic is forwarded.

Step 4: Configure source NAT. Add a source NAT policy for intranet users to access the Internet using the public IP address.

Step 5: Verify the configurations.
1. Both the physical and IPv4 states of interface GigabitEthernet 0/0/1 are Up.
2. Run ipconfig /all on a PC: the PC has obtained the correct IP address and DNS server address.
3. The PC on the LAN can use domain names to access the Internet.
Example 2: Accessing the Internet Using PPPoE

Networking Diagram

PCs (10.3.0.0/24, Trust) ---- GE0/0/2 10.3.0.1/24 [Firewall, PPPoE client] GE0/0/1 (Untrust) ---- PPPoE server (carrier) ---- Internet

All PCs on the LAN are deployed on subnet 10.3.0.0/24. They dynamically obtain IP addresses through DHCP.
The firewall, acting as a PPPoE client, obtains an IP address by dialing up to the carrier's server through PPPoE for Internet access.

Item                   Data                        Description
GigabitEthernet 0/0/1  Security zone: Untrust      Obtains an IP address and a DNS address from the PPPoE server (deployed by the carrier) through dial-up.
                       Dial-up user name: user
                       Dial-up password: Password@
GigabitEthernet 0/0/2  IP address: 10.3.0.1/24     Uses DHCP to dynamically assign IP addresses to PCs on the LAN.
                       Security zone: Trust
DNS server             1.2.2.2/24                  Obtained from the carrier.

Step 1: Configure interfaces. Set the WAN interface parameters (GE0/0/1: connection type PPPoE, dial-up user name user, dial-up password Password@, zone Untrust) and the LAN interface parameters (GE0/0/2, 10.3.0.1/24, zone Trust).

Step 2: Configure the DHCP service. Configure the DHCP service on LAN interface GE0/0/2 to assign IP addresses to PCs on the LAN.

Step 3: Configure a security policy. Permit the intranet addresses (10.3.0.0/24, zone Trust) to access the Internet (zone Untrust).

Step 4: Configure source NAT. Add a source NAT policy for intranet users to access the Internet using the public IP address (the address assigned by the PPPoE server).

Step 5: Configure a default route. Configure a default route so that intranet users are routable to the Internet. Because the peer address is assigned at dial-up time, the route points to the dial-up interface rather than to a fixed next-hop address.

Step 6: Verify the configurations.
1. Both the physical and IPv4 states of interface GigabitEthernet 0/0/1 are Up.
2. Run ipconfig /all on a PC: the PC has obtained the correct IP address and DNS server address.
3. The PC on the LAN can use domain names to access the Internet.
Example 3: Accessing the Internet Through Multiple ISP Networks

Networking diagram

Student network PCs (10.3.0.0/24) ---- GE1/0/3 10.3.0.1/24 (Trust) [FW] GE1/0/2 (Untrust) ---- Education network, next hop 2.2.2.254
Teacher network PCs (10.3.1.0/24) ---- GE1/0/4 10.3.1.1/24 (Trust) [FW] GE1/0/1 (Untrust1) ---- ISP network, next hop 1.1.1.254

A college deploys a firewall as a security gateway on the campus network. PCs on the student network can access the Internet only through the education network, and PCs on the teacher network can access the Internet only through the ISP network.

Item                pbr_1              pbr_2
Type                Inbound Interface  Inbound Interface
Inbound Interface   GE1/0/3            GE1/0/4
Source Address      10.3.0.0/24        10.3.1.0/24
Action              PBR                PBR
Egress Type         Single             Single
Outbound Interface  GE1/0/2            GE1/0/1
Next Hop            2.2.2.254          1.1.1.254

Step 1: Configure security zones. Create security zone untrust1, so that the two WAN links can be told apart in security and NAT policies.

Step 2: Configure the interfaces. Set the parameters of the two WAN interfaces (GE1/0/2 toward the education network and GE1/0/1 toward the ISP network) and of the two LAN interfaces (GE1/0/3 for the student network and GE1/0/4 for the teacher network).

Step 3: Configure security policies. Allow PCs on the student network to access the Internet, and allow PCs on the teacher network to access the Internet.

Step 4: Configure source NAT address pools. Create NAT address pools addres_1 and addres_2, one per WAN link, so that traffic leaving on each link is translated to an address that the network on that link routes.

Step 5: Configure source NAT policies. Perform address translation when PCs on the student network access the Internet, and when PCs on the teacher network access the Internet, each using the pool of its own link.

Step 6: Configure PBR routes. pbr_1: PCs on the student network access the Internet through GigabitEthernet 1/0/2 over the education network. pbr_2: PCs on the teacher network access the Internet through GigabitEthernet 1/0/1 over the ISP network.

Step 7: Verify the configurations.
PCs on the student network access the Internet through GigabitEthernet 1/0/2 over the education network.
PCs on the teacher network access the Internet through GigabitEthernet 1/0/1 over the ISP network.
The session table shows the outbound interface and the translated address when the student PC 10.3.0.2 and the teacher PC 10.3.1.2 each access the extranet host 10.30.1.1.
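The following added example (not from the Huawei guide) models the decision chain of Steps 1 to 6 in this example: a policy-based route is consulted before the routing table and matches only when both its inbound interface and its source prefix match, the egress interface determines the destination zone, and the zone selects the source NAT pool. The zone assignment of the WAN interfaces, the routing-table fallback (a single default route via the ISP link) and the pairing of pools with zones are assumptions taken from the diagram and the step captions, not stated outright in the guide.

```python
"""PBR, zones and per-link NAT pools for Example 3.

Added example, not Huawei code. WAN zone assignment, the default-route fallback
and the pool-to-zone pairing are assumptions drawn from the diagram.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

ZONE_OF_INTERFACE = {
    "GE1/0/3": "trust",     # student network
    "GE1/0/4": "trust",     # teacher network
    "GE1/0/2": "untrust",   # education network (assumed zone)
    "GE1/0/1": "untrust1",  # ISP network (zone created in Step 1, assumed on this link)
}


@dataclass(frozen=True)
class PbrRule:
    name: str
    inbound: str
    source: str
    out_if: str
    next_hop: str


# Step 6, values from the Example 3 table.
PBR = [
    PbrRule("pbr_1", "GE1/0/3", "10.3.0.0/24", "GE1/0/2", "2.2.2.254"),
    PbrRule("pbr_2", "GE1/0/4", "10.3.1.0/24", "GE1/0/1", "1.1.1.254"),
]

# Assumption: the ordinary routing table holds only a default route via the ISP link.
DEFAULT_ROUTE = ("GE1/0/1", "1.1.1.254")

# Steps 4 and 5: one pool per WAN link, selected by destination zone (assumed pairing).
NAT_POOL = {"untrust": "addres_1", "untrust1": "addres_2"}


def egress(inbound: str, src: str):
    """PBR is consulted before the routing table. A rule matches only when both
    its inbound interface and its source prefix match; otherwise fall back."""
    for rule in PBR:
        if rule.inbound == inbound and ip_address(src) in ip_network(rule.source):
            return rule.name, rule.out_if, rule.next_hop
    return ("routing-table",) + DEFAULT_ROUTE


def forward(inbound: str, src: str) -> dict:
    """Full decision for a packet: route, destination zone, and the NAT pool used."""
    via, out_if, next_hop = egress(inbound, src)
    zone = ZONE_OF_INTERFACE[out_if]
    return {"via": via, "out_if": out_if, "next_hop": next_hop,
            "dst_zone": zone, "pool": NAT_POOL[zone]}


if __name__ == "__main__":
    print("student PC:", forward("GE1/0/3", "10.3.0.2"))
    print("teacher PC:", forward("GE1/0/4", "10.3.1.2"))
    # A teacher source address arriving on the student interface matches neither rule.
    print("spoofed on GE1/0/3:", forward("GE1/0/3", "10.3.1.2"))
```

The third case is the one worth noticing: a packet with a teacher-network source address arriving on the student interface is steered by neither rule and falls through to the routing table, and whether it is then forwarded at all is decided by the security policy, which in this example tells the two networks apart by source address only. Rejecting source addresses that do not belong to the interface they arrive on (strict unicast RPF on GE1/0/3 and GE1/0/4) is the companion control that keeps the interface binding of the PBR rules meaningful.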
Example 4: NAPT for Intranet Users to Access the Internet

Networking diagram

PC_A, PC_B (10.1.1.0/24, VLAN100) ---- Aggregation switch 10.1.2.1/24 ---- GE1/0/1 (trust) [FW, transparent, source NAT policy] GE1/0/3 (untrust) ---- Egress gateway 10.1.2.2/24 ---- 1.1.1.1/24 ---- ISP

The firewall is deployed at the border of the network in transparent mode. Its uplink and downlink service interfaces work in Layer 2 mode, so the aggregation switch (10.1.2.1) and the egress gateway (10.1.2.2) are adjacent on the same subnet across the firewall.
A source NAT policy is configured on the firewall to allow users in network segment 10.1.1.0/24 to access the Internet.

Item                                              Data                                        Description
Intranet segment allowed to access the Internet   10.1.1.0/24                                 -
Public addresses mapped to private addresses      1.1.1.10 to 1.1.1.15                        As private addresses far outnumber public addresses, one-to-one mapping cannot be implemented. To translate all private addresses into public addresses, enable port translation.
Black-hole routes on the aggregation switch       Destination address: 1.1.1.10 to 1.1.1.15   Prevent routing loops between the aggregation switch and the egress gateway when Internet users send traffic to the post-NAT public addresses. A packet for a pool address that no session owns would otherwise bounce between the gateway's static route and the switch's default route until its TTL expires.
                                                  Next hop: NULL 0
Static routes on the egress gateway               Destination address: 1.1.1.10 to 1.1.1.15   Configure a static route with a 32-bit destination address for each public address.
                                                  Next hop: 10.1.2.1
Static routes on the ISP router                   Destination address: 1.1.1.10 to 1.1.1.15   The post-NAT public addresses are not configured on any interface, so routing protocols cannot discover routes to them. Therefore, you must configure static routes to the public addresses on the ISP router.
                                                  Next hop address: 1.1.1.1
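To see why the black-hole routes matter, the following added example (not from the Huawei guide) simulates forwarding in the Example 4 topology with and without them. It models only the two Layer 3 devices, the aggregation switch and the egress gateway, with the transparent firewall as a translation step on the link between them; the switch's default route toward the gateway is assumed from the topology, and the single NAT session in FW_SESSIONS is constructed for the demonstration.

```python
"""Why Example 4 needs black-hole routes on the aggregation switch.

Added example, not Huawei code. Two Layer 3 hops, with the transparent firewall
modelled as translation on the link between them. The switch's default route and
the session in FW_SESSIONS are assumptions for the demonstration.
"""
from ipaddress import ip_address, ip_network

NULL0 = "Null0"
NAT_POOL = [f"1.1.1.{i}" for i in range(10, 16)]    # 1.1.1.10 to 1.1.1.15

# Egress gateway: a /32 static route per public address toward the switch
# (10.1.2.1) and a default route toward the ISP.
GATEWAY_TABLE = [(f"{ip}/32", "switch") for ip in NAT_POOL] + [("0.0.0.0/0", "isp")]

# Constructed session: one intranet host with an active NAPT mapping.
FW_SESSIONS = {("1.1.1.10", 1024): ("10.1.1.5", 5000)}


def switch_table(blackhole: bool):
    """Aggregation switch: intranet directly attached, default route up to the
    gateway, and optionally the black-hole routes from the Example 4 table."""
    table = [("10.1.1.0/24", "connected"), ("0.0.0.0/0", "gateway")]
    if blackhole:
        table += [(f"{ip}/32", NULL0) for ip in NAT_POOL]
    return table


def lookup(table, dst: str):
    """Longest-prefix match; returns the next hop or None."""
    best = None
    for prefix, next_hop in table:
        net = ip_network(prefix)
        if ip_address(dst) in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    return best[1] if best else None


def trace(dst: str, dport: int, blackhole: bool, ttl: int = 64):
    """Forward a packet that arrives at the egress gateway from the ISP.

    Returns (outcome, hops) with outcome one of 'delivered', 'blackholed',
    'ttl-expired' or 'no-route'."""
    node, hops = "gateway", []
    while ttl > 0:
        ttl -= 1
        hops.append(node)
        if node == "gateway":
            next_hop = lookup(GATEWAY_TABLE, dst)
            if next_hop == "switch" and (dst, dport) in FW_SESSIONS:
                dst, dport = FW_SESSIONS[(dst, dport)]   # transparent FW translates on the link
        elif node == "switch":
            next_hop = lookup(switch_table(blackhole), dst)
            if next_hop == NULL0:
                return "blackholed", hops
            if next_hop == "connected":
                return "delivered", hops + [dst]
        else:                                            # "isp": back out to the Internet
            return "delivered", hops
        if next_hop is None:
            return "no-route", hops
        node = next_hop
    return "ttl-expired", hops


if __name__ == "__main__":
    for dst, dport in (("1.1.1.10", 1024), ("1.1.1.12", 80)):
        for blackhole in (False, True):
            outcome, hops = trace(dst, dport, blackhole)
            print(f"{dst}:{dport} blackhole={blackhole}: {outcome} after {len(hops)} hops")
```

Without the black-hole routes, a single packet for an unused pool address crosses the switch-gateway link once per TTL (64 times here) before it dies, which turns a spray of such packets from the Internet into a bandwidth and CPU multiplier on that link; with them the packet is dropped at the switch on its first pass. Traffic that the firewall holds a session for is translated to the private address before the switch sees it, so the black-hole routes never affect legitimate replies.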
Step 1: Configure the interfaces on FW. Set the LAN interface (GE1/0/1, zone trust) and WAN interface (GE1/0/3, zone untrust) parameters; both work in Layer 2 mode.

Step 2: Configure security policies on FW. Allow intranet users (10.1.1.0/24) to access the Internet.

Step 3: Configure a NAT address pool on FW. Configure a NAT address pool (1.1.1.10 to 1.1.1.15) to provide public addresses for intranet users.

Step 4: Configure NAT policies on FW. Configure a NAT policy for access from the intranet to the Internet, using the address pool with port translation enabled.

Step 5: Verify the configurations.
1. Intranet hosts can access the Internet.
2. The source NAT policy table shows that the source NAT policy has been matched.
Example 5: NAT Server for Internet Users to Access Intranet Servers

Networking diagram

FTP server 10.2.0.8/24 (10.2.0.0/24, zone trust) ---- [FW, GE1/0/2 10.1.2.1/24] ---- ISP1 (zone untrust1)
                                                                              ---- ISP2 (zone untrust2)

A firewall is deployed at the network border as a security gateway. It accesses the Internet through two ISP networks.
In this example, NAT Server is configured on the firewall to publish the same intranet server under a different public service address for the users of each ISP network.

Item                              Data                             Description
NAT Server1                       Public IP address: 1.1.1.10      When Internet users send traffic to 1.1.1.10, the FW forwards it to the FTP server based on this mapping entry.
                                  Private IP address: 10.2.0.8
                                  Public port: 21
                                  Private port: 21
                                  Zone: untrust1
NAT Server2                       Public IP address: 2.2.2.10      When Internet users send traffic to 2.2.2.10, the FW forwards it to the FTP server based on this mapping entry.
                                  Private IP address: 10.2.0.8
                                  Public port: 21
                                  Private port: 21
                                  Zone: untrust2
Static route on the ISP1 router   Destination address: 1.1.1.10    -
                                  Next hop address: 1.1.1.1
Static route on the ISP2 router   Destination address: 2.2.2.10    -
                                  Next hop address: 2.2.2.2

Step 1: Create security zones on FW. Create security zones untrust1 and untrust2.

Step 2: Configure the interfaces on FW. Set the parameters of the interface connecting to the ISP1 network (zone untrust1), of the interface connecting to the ISP2 network (zone untrust2), and of the LAN interface (zone trust).

Step 3: Configure security policies on FW. Allow Internet users in untrust1 and untrust2 to access the intranet server. Match the policy on the server's private address 10.2.0.8 and the FTP service rather than on any destination, so that it admits only the published service.

Step 4: Configure NAT Server on FW. Configure server mappings policy_ftp1 (1.1.1.10:21 in zone untrust1) and policy_ftp2 (2.2.2.10:21 in zone untrust2), both mapped to 10.2.0.8:21.

Step 5: Enable NAT ALG for FTP. FTP negotiates the address and port of its data connection inside the control channel, so the ALG is required for the data connection to be translated and admitted.

Step 6: Verify the configurations.
1. Internet users can access the intranet server through either ISP network.
2. Click Diagnose to view the server mapping status. If the current state is Connected, the intranet server is reachable.
Example 6: Both Intranet and Internet Users Accessing an Intranet Server

Networking Diagram

PC 10.3.0.31/24 and FTP server 10.3.0.30/24 (10.3.0.0/24, Trust) ---- GE0/0/2 10.3.0.1/24 [Firewall] GE0/0/1 1.1.1.1/24 (Untrust) ---- Router 1.1.1.254/24 ---- Internet

Both intranet users and the FTP server for Internet users reside on subnet 10.3.0.0/24 in the Trust zone.
The enterprise uses a fixed IP address provided by the ISP to access the Internet.
Both intranet and Internet users use public IP address 1.1.1.2 and port 2121 to access the FTP server, and intranet users use public IP address 1.1.1.1 to access the Internet.

Item                   Data                         Description
GigabitEthernet 0/0/2  Security zone: Trust         The FTP server uses 10.3.0.1 as its default gateway address.
                       IP address: 10.3.0.1/24
GigabitEthernet 0/0/1  Security zone: Untrust       1.1.1.1/24 is a public address provided by the ISP.
                       IP address: 1.1.1.1/24
FTP server             Public IP address: 1.1.1.2   -
                       Public port: 2121
DNS server             1.2.2.2/24                   Obtained from the ISP.
Gateway IP address     1.1.1.254/24                 Obtained from the ISP.

Step 1: Configure interfaces. Set the WAN interface (GE0/0/1) and LAN interface (GE0/0/2) parameters.

Step 2: Configure security policies. Permit intranet users to access the Internet, and permit Internet users to access the intranet FTP server.

Step 3: Create a NAT address pool. Configure public IP address 1.1.1.1 in a NAT address pool.

Step 4: Configure source NAT. Add a source NAT policy for intranet users to access the Internet using the public IP address, and a second source NAT policy for intranet users accessing the public IP address of the FTP server (Trust to Trust). The second policy is what makes the hairpin work: the client and the server are on the same subnet, so without it the server would see the client's private address and answer it directly on the LAN, and the client would receive a reply from 10.3.0.30:21 instead of the 1.1.1.2:2121 it connected to and discard it. Translating the client's source address to 1.1.1.1 forces the server to send its replies back through the firewall, which restores the public address on the return path.

Step 5: Configure server mapping. Map the private IP address of the FTP server (10.3.0.30) to public IP address 1.1.1.2 with public port 2121.

Step 6: Configure NAT ALG. By default, the NAT ALG is enabled for FTP.

Step 7: Verify the configurations.
1. The PC on the LAN can access the Internet.
2. Internet users can access public IP address 1.1.1.2 and port 2121 of the FTP server.
3. Intranet users can access public IP address 1.1.1.2 and port 2121 of the FTP server.
4. Choose Policy > NAT Policy > Source NAT on the firewall to view the number of packets that match the configured source NAT policies.
5. Choose Monitor > Session Table on the firewall to view NAT information. Check for the entries in which the destination address is 1.1.1.2. To view the port translation information, click the icon next to the corresponding entry.
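The following added example (not from the Huawei guide) walks packets through a model of the policy and NAT steps used in Examples 1, 5 and 6: destination translation for a server mapping, zone-based security policy lookup with default deny, source translation, and the session-table lookup that translates replies. It uses the Example 6 addresses; the Internet hosts 203.0.113.x are constructed, and the processing order (NAT Server before the security policy lookup, source NAT after it, policies written against the server's private address) and the sequential port allocation are modelling assumptions of this script, to be checked against the platform's own documentation.

```python
"""Packet walk: NAT Server, security policy, source NAT and the hairpin case.

Added example for Examples 1, 5 and 6 of the guide; not Huawei code. Addresses
are those of Example 6; 203.0.113.x Internet hosts are constructed. Processing
order and port allocation are modelling assumptions.
"""
from dataclasses import dataclass, replace as with_fields
from ipaddress import ip_address, ip_network

TRUST_NET = ip_network("10.3.0.0/24")     # GE0/0/2, zone Trust
FW_PUBLIC = "1.1.1.1"                     # GE0/0/1, zone Untrust
FTP_PRIVATE, FTP_PUBLIC = ("10.3.0.30", 21), ("1.1.1.2", 2121)


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


def zone_of(ip: str) -> str:
    return "trust" if ip_address(ip) in TRUST_NET else "untrust"


# Step 5: server mapping, (public ip, port) -> (private ip, port).
NAT_SERVER = {FTP_PUBLIC: FTP_PRIVATE}

# Step 2: policies as (src zone, dst zone, dst ip or None, dst port or None),
# matched after NAT Server (assumption), first match wins, default deny.
SECURITY_POLICY = [
    ("trust", "untrust", None, None),        # intranet users to the Internet
    ("untrust", "trust", *FTP_PRIVATE),      # Internet users to the FTP server
    ("trust", "trust", *FTP_PRIVATE),        # intranet users to the server's public address
]


def permitted(src_zone: str, dst_zone: str, pkt: Packet) -> bool:
    for sz, dz, dip, dport in SECURITY_POLICY:
        if (sz, dz) == (src_zone, dst_zone) and dip in (None, pkt.dst) and dport in (None, pkt.dport):
            return True
    return False


class Firewall:
    def __init__(self, hairpin_snat: bool):
        # Step 4: source NAT policies, (src zone, dst zone) -> public address.
        self.snat = {("trust", "untrust"): FW_PUBLIC}
        if hairpin_snat:
            self.snat[("trust", "trust")] = FW_PUBLIC    # the second policy of Step 4
        self.sessions = {}        # (dst, dport, src, sport) after translation -> original packet
        self._next_port = 10000   # assumption: NAPT ports handed out sequentially

    def forward(self, pkt: Packet):
        """Returns the packet as it leaves the firewall, or None when the policy drops it."""
        original = pkt
        if (pkt.dst, pkt.dport) in NAT_SERVER:                        # 1. NAT Server
            dst, dport = NAT_SERVER[(pkt.dst, pkt.dport)]
            pkt = with_fields(pkt, dst=dst, dport=dport)
        src_zone, dst_zone = zone_of(pkt.src), zone_of(pkt.dst)       # 2. zones
        if not permitted(src_zone, dst_zone, pkt):                    # 3. security policy
            return None
        if (src_zone, dst_zone) in self.snat:                         # 4. source NAT
            pkt = with_fields(pkt, src=self.snat[(src_zone, dst_zone)], sport=self._next_port)
            self._next_port += 1
        self.sessions[(pkt.dst, pkt.dport, pkt.src, pkt.sport)] = original
        return pkt

    def reverse(self, reply: Packet):
        """Translates a reply back using the session table; None if no session matches."""
        orig = self.sessions.get((reply.src, reply.sport, reply.dst, reply.dport))
        if orig is None:
            return None
        return Packet(src=orig.dst, sport=orig.dport, dst=orig.src, dport=orig.sport)


def round_trip(fw: Firewall, req: Packet):
    """Returns (packet the server received, packet the client received); None where dropped."""
    seen = fw.forward(req)
    if seen is None:
        return None, None
    reply = Packet(seen.dst, seen.dport, seen.src, seen.sport)    # the server answers what it saw
    if ip_address(reply.src) in TRUST_NET and ip_address(reply.dst) in TRUST_NET:
        return seen, reply           # same subnet: delivered directly, the firewall never sees it
    return seen, fw.reverse(reply)   # otherwise via the default gateway, i.e. the firewall


def client_accepts(req: Packet, received) -> bool:
    """A TCP client only accepts a reply that comes from the address:port it connected to."""
    return received is not None and (received.src, received.sport, received.dst, received.dport) == (
        req.dst, req.dport, req.src, req.sport)


if __name__ == "__main__":
    req = Packet("10.3.0.31", 40000, *FTP_PUBLIC)    # intranet PC to the server's public address
    for hairpin in (False, True):
        seen, got = round_trip(Firewall(hairpin_snat=hairpin), req)
        print(f"hairpin SNAT {hairpin}: server saw {seen.src}:{seen.sport}, "
              f"client accepts reply: {client_accepts(req, got)}")
```

Run as a script it prints that without the second source NAT policy the server sees 10.3.0.31 and the client rejects the reply, and that with it the server sees 1.1.1.1 and the connection completes; the same Firewall object also shows an Internet user reaching 1.1.1.2:2121 without source translation and an unsolicited inbound packet to a PC being dropped by the default deny.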
Example 7: Site-to-Site IPSec Tunnel

Networking diagram

Network A (10.1.1.0/24) ---- GE1/0/3 10.1.1.1/24 (Trust) [Firewall_A] GE1/0/1 1.1.3.1/24 (Untrust) ==== IPSec tunnel ==== GE1/0/1 1.1.5.1/24 (Untrust) [Firewall_B] GE1/0/3 10.1.2.1/24 (Trust) ---- Network B (10.1.2.0/24)

Firewall_A and Firewall_B are the egress gateways of Network A and Network B respectively and use fixed IP addresses to access the Internet.
Firewall_A and Firewall_B are reachable to each other.
Firewall_A and Firewall_B establish a site-to-site IPSec tunnel in IKE negotiation mode, so that devices on both Network A and Network B can proactively initiate connections to the peer network.

Item                 Firewall_A      Firewall_B
Scenario             Site-to-Site    Site-to-Site
Peer IP Address      1.1.5.1         1.1.3.1
Authentication Type  Pre-Shared Key  Pre-Shared Key
Pre-Shared Key       Admin@123       Admin@123
Local ID             IP Address      IP Address
Peer ID              IP Address      IP Address

Admin@123 is only the example value. With pre-shared key authentication, anyone who knows the key can authenticate as the peer, so a production key should be long and random and should not be reused across tunnels.

Step 1: Configure the interfaces on Firewall_A. Set the WAN interface (GE1/0/1, 1.1.3.1/24) and LAN interface (GE1/0/3, 10.1.1.1/24) parameters.

Step 2: Configure security policies on Firewall_A. Four rules are needed:
1. Permit private IP addresses on Network A to connect to the private IP addresses on Network B.
2. Permit private IP addresses on Network B to connect to the private IP addresses on Network A.
3. Permit Firewall_A to connect to the public IP address of Firewall_B.
4. Permit Firewall_B to use its public IP address to connect to Firewall_A.
Rules 3 and 4 carry the IKE negotiation and the encrypted traffic between the two public addresses; rules 1 and 2 decide what is allowed inside the tunnel.

Step 3: Configure routes on Firewall_A. Configure a route to the private IP addresses on Network B. In the example, the next-hop IP address from Firewall_A to the Internet is 1.1.3.2.

Step 4: Configure IPSec on Firewall_A. Select the Site-to-Site scenario and complete the basic settings (peer address 1.1.5.1, pre-shared key Admin@123), add the data flow to be encrypted (Network A to Network B), and configure the IKE/IPSec proposal. In the example, all IPSec proposal parameters use the default values. If you have specific requirements for these parameters, change them, but ensure that they are consistent with those on Firewall_B.

Step 5: Configure the interfaces on Firewall_B. Set the WAN interface (GE1/0/1, 1.1.5.1/24) and LAN interface (GE1/0/3, 10.1.2.1/24) parameters.

Step 6: Configure security policies on Firewall_B. Mirror the four rules of Step 2:
1. Permit private IP addresses on Network B to connect to the private IP addresses on Network A.
2. Permit private IP addresses on Network A to connect to the private IP addresses on Network B.
3. Permit Firewall_B to connect to the public IP address of Firewall_A.
4. Permit Firewall_A to use its public IP address to connect to Firewall_B.

Step 7: Configure routes on Firewall_B. Configure a route to the private IP addresses on Network A. In the example, the next-hop IP address from Firewall_B to the Internet is 1.1.5.2.

Step 8: Configure IPSec on Firewall_B. Select the Site-to-Site scenario and complete the basic settings (peer address 1.1.3.1, pre-shared key Admin@123), add the data flow to be encrypted (Network B to Network A), and configure the IKE/IPSec proposal. In the example, all IPSec proposal parameters use the default values. If you have specific requirements for these parameters, change them, but ensure that they are consistent with those on Firewall_A.

Step 9: Verify the configurations.
After the configuration is complete, view the IPSec policy list and the IPSec tunnel monitoring information on Firewall_A and on Firewall_B: the established IPSec tunnel is displayed. Use a host on Network A to access a host or server on Network B; the access succeeds. Use a host on Network B to access a host or server on Network A; the access also succeeds.
If no IPSec tunnel is established, click Diagnose to check for the cause and solution.
Example 8: Site-to-Multisite IPSec Tunnel (Policy Template)

Networking diagram

Headquarters: PC1 10.1.1.2/24 ---- GE1/0/3 10.1.1.1/24 (Trust) [FW_A] GE1/0/1 1.1.3.1/24 (Untrust) ---- Internet
Branch 1:     PC2 10.1.2.2/24 ---- GE1/0/3 10.1.2.1/24 (Trust) [FW_B] GE1/0/1 (Untrust, dynamic address) ---- Internet, IPSec Tunnel 1 to FW_A
Branch 2:     PC3 10.1.3.2/24 ---- GE1/0/3 10.1.3.1/24 (Trust) [FW_C] GE1/0/1 (Untrust, dynamic address) ---- Internet, IPSec Tunnel 2 to FW_A

Firewall_A is the egress gateway of the headquarters. Firewall_B and Firewall_C are the egress gateways of branches 1 and 2, respectively. Firewall_A uses a fixed IP address to access the Internet. Firewall_B and Firewall_C use dynamically obtained IP addresses to access the Internet.
IPSec tunnels are established between Firewall_A and Firewall_B and between Firewall_A and Firewall_C, so that PCs in branches 1 and 2 can initiate connections to the headquarters (the headquarters is not allowed to initiate connections to the branches).

Item                 Firewall_A (Headquarters)  Firewall_B (Branch 1)  Firewall_C (Branch 2)
Scenario             Site-to-Multisite          Site-to-Site           Site-to-Site
Peer IP Address      -                          1.1.3.1                1.1.3.1
Authentication Type  Pre-Shared Key             Pre-Shared Key         Pre-Shared Key
Pre-Shared Key       Admin@123                  Admin@123              Admin@123
Local ID             IP Address                 IP Address             IP Address
Peer ID              any                        IP Address             IP Address

Because the headquarters uses a policy template and accepts any peer ID, the pre-shared key is the only thing that identifies a branch: whoever obtains it can bring up a tunnel to Firewall_A from any address. Use a long random key rather than the example value, and consider certificate authentication if the key cannot be kept confined to the branch firewalls.

Step 1: Configure the interfaces on Firewall_A. Set the WAN interface (GE1/0/1, 1.1.3.1/24) and LAN interface (GE1/0/3, 10.1.1.1/24) parameters.

Step 2: Configure security policies on Firewall_A.
1. Allow the private IP address of the headquarters to access the private IP addresses of branches 1 and 2.
2. Allow the private IP addresses of branches 1 and 2 to access the private IP address of the headquarters.
3. Allow the public IP addresses of branches 1 and 2 to access Firewall_A.
4. Allow Firewall_A to access the public IP addresses of branches 1 and 2.

Step 3: Configure routes on Firewall_A. Configure a route to the private IP addresses of branch 1 and a route to the private IP addresses of branch 2. In the example, the next-hop IP address from Firewall_A to the Internet is 1.1.3.2.

Step 4: Configure IPSec on Firewall_A. Select the Site-to-Multisite scenario and configure an IPSec policy (policy template). Add the data flow from the headquarters to branch 1 and the data flow from the headquarters to branch 2 to be encrypted. If the static routes to the branches were not configured as in Step 3, select Reverse Route Injection in the Data Flow to Be Encrypted area, so that the private routes from the headquarters to the branches are generated automatically. This example uses the default values of the proposal parameters; you can change the values as required.

Step 5: Configure the interfaces on Firewall_B. Configure the interface connecting to the Internet (GE1/0/1); in this example, the connection type is DHCP. Set the LAN interface (GE1/0/3, 10.1.2.1/24) parameters.

Step 6: Configure security policies on Firewall_B.
1. Allow the private IP address of branch 1 to access the private IP address of the headquarters.
2. Allow the private IP address of the headquarters to access the private IP address of branch 1.
3. Allow the public IP address of the headquarters to access Firewall_B.
4. Allow Firewall_B to access the public IP address of the headquarters.

Step 7: Configure routes on Firewall_B. Configure a route to the private address of the headquarters.

Step 8: Configure IPSec on Firewall_B. Select the Site-to-Site scenario and complete the basic settings (peer address 1.1.3.1, pre-shared key Admin@123), add the data flow from branch 1 to the headquarters to be encrypted, and configure the IKE/IPSec proposal. This example uses the default values of the proposal parameters; you can change the values as required.

Step 9: Configure the interfaces on Firewall_C. Configure the interface connecting to the Internet (GE1/0/1); in this example, the connection type is DHCP. Set the LAN interface (GE1/0/3, 10.1.3.1/24) parameters.

Step 10: Configure security policies on Firewall_C.
1. Allow the private IP address of branch 2 to access the private IP address of the headquarters.
2. Allow the private IP address of the headquarters to access the private IP address of branch 2.
3. Allow the public IP address of the headquarters to access Firewall_C.
4. Allow Firewall_C to access the public IP address of the headquarters.

Step 11: Configure routes on Firewall_C. Configure a route to the private address of the headquarters.

Step 12: Configure IPSec on Firewall_C. Select the Site-to-Site scenario and complete the basic settings (peer address 1.1.3.1, pre-shared key Admin@123), add the data flow from branch 2 to the headquarters to be encrypted, and configure the IKE/IPSec proposal. This example uses the default values of the proposal parameters; you can change the values as required.

Step 13: Verify the configuration.
After the configuration is complete, query the IPSec policy list and the IPSec monitoring list on Firewall_A, Firewall_B and Firewall_C. The established IPSec tunnels are displayed. Use a PC in a branch to access a PC or server at the headquarters; the access succeeds.
If the IPSec tunnels are not established, click Diagnose to query the cause and solution.
Example 9.1: L2TP over IPSec Access from Clients (SecoClient)

Networking diagram

LAC client (SecoClient, on the Internet) ==== L2TP over IPSec tunnel ==== [Firewall as LNS, public address 1.1.1.1] ---- headquarters servers

The LAC client connects to the LNS at the headquarters over the Internet. The LAC client initiates the connection request directly to the LNS, and the data exchanged with the LNS is transmitted through a tunnel. L2TP encapsulates the Layer 2 (PPP) frames and carries the user identity authentication; the resulting L2TP packets are then encrypted by IPSec.

Item                  Data
LNS  L2TP settings    Group name: default
                      User name: user0001
                      Password: Password@123
                      Address pool: pool, 172.16.1.1 to 172.16.1.100
                      Tunnel password authentication: Hello@123
     IPSec settings   Pre-shared key: Admin@123
                      Local ID: IP address
                      Peer ID: any peer ID
LAC  L2TP settings    User authentication name: user0001
                      Password: Password@123
                      Tunnel password authentication: Hello@123
     IPSec settings   Pre-shared key: Admin@123
                      Peer address: 1.1.1.1/24

All LAC clients share the IPSec pre-shared key, and the LNS accepts any peer ID, so the key protects the tunnel but does not identify a user; individual users are told apart only by their L2TP user name and password. Treat the example values (Admin@123, Hello@123, Password@123) as placeholders.

Step 1: Configure interfaces. Set the WAN interface and LAN interface parameters.

Step 2: Configure security policies.
1. Permit LAC clients to communicate with the firewall.
2. Permit the firewall to communicate with LAC clients.
3. Permit LAC clients to access the servers in the headquarters.
4. Permit servers at the headquarters to access the Internet.

Step 3: Configure routes. Configure a route to the Internet. In the example, the next-hop IP address from the firewall to the Internet is 1.1.1.2.

Step 4: Configure L2TP users. Select L2TP/L2TP over IPSec for Scenario and Local for User Location. Add an L2TP user; in the example, the user name is user0001 and the password is Password@123.

Step 5: Add an IP pool. Add an IP address pool named pool with the range 172.16.1.1 to 172.16.1.100.

Step 6: Configure L2TP over IPSec. Set Scenario and Peer Type, then complete the basic configuration; in the example, the pre-shared key is Admin@123. Add the IP pool, add a data flow rule with the required parameters, and configure the IKE/IPSec proposal.

Step 7: Configure the L2TP group. Enable L2TP and create an L2TP group; in the example, the tunnel password is Hello@123.

Step 8: Configure SecoClient.
The SecoClient is VPN remote access client software provided by Huawei. It provides secure and convenient access for mobile office users to resources in an enterprise network. You can search for and download the SecoClient on the Huawei enterprise support website http://support.huawei.com/enterprise.
1. Open the SecoClient.
2. Create a new connection.
3. Set the L2TP connection parameters.
4. Enable tunnel authentication; the authentication password is Hello@123.
5. Select Enable IPSec Protocol.
6. Complete the IPSec configuration.
7. Select Pre-shared Key; the pre-shared key is Admin@123.
8. Complete the IKE basic configuration.